Protecting against xss

It is very important to protect your site against xss attacks. Xss vulnerabilities can crop up if you let users input data and you do not guard against user inputting unsafe characters!

There are a a few different ways a Xss vulnerability can crop up.
If your site automatically echoes out the exact url found in your the url bar for instance through canonical tags (pointless tags for seo pruposes) then you might be in trouble. Also Xss code can be added to search forms that us GET. This is because the site does not either check for certain characters that could allow a hacker to break your code for example “?> or the site does not encode these character when echoing out the tag your site will be vulnerable to an attack.

To check this use the following code:

'';!--"<XSS>=&{()}

Once you have added this code you should now be able to see via the source code as to whether it has broken your html or has been encoded. In some instances if your site does not allow for bad characters there should just a be an error page.

Sometimes though hackers will try to tricks such as filter evasions to trick the system that protects your site from invalid characters by encoding the url themselves. Such as using

%3C

this is a way of encoding the break character >

Remember xss vulnerabilities do not always have to be in the main functions or forms of your site and can be hidden even in the smallest bit of code and forms. If you are running content management systems like wordpress always keep your themes, plugins and install update to and make sure that your webhost uses you should be fine.